Bug 463296 - [LTC 6.0 FEAT] 201317:File Capabilities - Userspace
[LTC 6.0 FEAT] 201317:File Capabilities - Userspace
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: distribution (Show other bugs)
6.0
All All
high Severity high
: beta
: 6.0
Assigned To: Scott Haines
Ben Levenson
: FutureFeature
Depends On: 463297
Blocks: 356741 554559
  Show dependency treegraph
 
Reported: 2008-09-22 16:40 EDT by IBM Bug Proxy
Modified: 2015-01-22 10:29 EST (History)
9 users (show)

See Also:
Fixed In Version: libcap-2.16-5.el6
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 15:13:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description IBM Bug Proxy 2008-09-22 16:40:36 EDT
=Comment: #0=================================================
Emily J. Ratliff <emilyr@us.ibm.com> - 2008-09-16 18:26 EDT
1. Feature Overview:
Feature Id:	[201317]
a. Name of Feature:	File Capabilities - Userspace
b. Feature Description
File capabilities allow an administrator to mark files with POSIX capabilities. When a process is
instantiated from binary, it receives the capabilities with which the on-disk file is marked.
Binaries that would normally require setuid permission can be given only the capabilities required.
The classic example is the ping program. Normally it is setuid because it requires CAP_NET_RAW. With
file capabilities, the binary can be marked on disk as requiring CAP_NET_RAW and no longer needs to
be made setuid. See
http://www.ibm.com/developerworks/library/l-posixcap.html?ca=dgr-lnxw01POSIX-capabilities for more
details. The libcap-2 packages is required for userspace support of the kernel feature.

Additional Comments:	Setting status to green.

2. Feature Details:
Sponsor:	LTC Security
Architectures:
x86
x86_64
ppc64
s390 native
s390 compat
s390x

Arch Specificity: Purely Common Code
Affects Toolchain: Yes
Affects Core Kernel: Yes
Delivery Mechanism: Direct from community
Category:	Security
Request Type:	Package - Feature from Upstream
d. Upstream Acceptance:	Accepted
Sponsor Priority	1
f. Severity: High
IBM Confidential:	no
Code Contribution:	IBM code
g. Component Version Target:	>= libcap-2.04. See
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2/

3. Business Case
Finer grained control over executable capabilities reduces the danger binaries as they no longer
need to be made setuid and only required capabilities can be given to the process. This will
increase customer security and give Linux a competitive advantage over Windows and Solaris.

4. Primary contact at Red Hat: 
John Jarvis
jjarvis@redhat.com

5. Primary contacts at Partner:
Project Management Contact:
Mounir Bsaibes, bsaibes@us.ibm.com, 512-838-1301

Technical contact(s):
George Wilson, gcwilson@us.ibm.com
Serge Hallyn, sergeh@us.ibm.com

IBM Manager:
Bryan Jacobson, bjacobson@us.ibm.com
Comment 1 Bill Nottingham 2008-10-01 17:22:18 EDT
This version of libcap is already in Fedora 10, so this should not be an issue. Note that further integration and actually using fs capabilities in shipped packages is unfinished work.
Comment 2 Steve Grubb 2008-10-02 09:01:27 EDT
Please note that more than just libcap-2 is needed. We need rpm to support capabilities so that it can be decided in the spec file what they should be. We also need user space tools updated to consider files with security extended attributes to be privileged. We have a tracker bug #449984 that we have been working over the last few months. There is a lot of resistance from the community for this feature as noted in bug #455713 where we tried to get setuid removed from ping.
Comment 3 Panu Matilainen 2008-10-30 14:34:44 EDT
For the record, support for capabilities was recently added to rpm upstream. It's not in any released version yet but that can be expected to change in time for RHEL 6.
Comment 4 IBM Bug Proxy 2009-03-02 18:00:27 EST
As noted in comment #5, userspace file capabilties support is enabled in F10.
Comment 5 releng-rhel@redhat.com 2009-11-06 14:44:49 EST
Fixed in 'libcap-2.16-5.el6', included in compose 'RHEL6.0-20091106.0'.
Moving to ON_QA.
Comment 7 IBM Bug Proxy 2010-05-20 09:21:31 EDT
------- Comment From sergeh@us.ibm.com 2010-05-20 09:12 EDT-------
After 'yum install libcap-devel', the ltp filecaps testcase compile, runs, and passes.
Comment 9 Alexander Todorov 2010-08-21 07:48:34 EDT
[root@ibm-x3950m2-02 6]# pwd
/mnt/redhat/rel-eng/RHEL6.0-20100818.0/6

[root@ibm-x3950m2-02 6]# find -name "libcap-2*"
./WebServer/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./WebServer/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./WebServer/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Server/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Server/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Server/s390x/os/Packages/libcap-2.16-5.2.el6.s390.rpm
./Server/s390x/os/Packages/libcap-2.16-5.2.el6.s390x.rpm
./Server/ppc64/os/Packages/libcap-2.16-5.2.el6.ppc.rpm
./Server/ppc64/os/Packages/libcap-2.16-5.2.el6.ppc64.rpm
./Server/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Server/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Client/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Client/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Client/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Client/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./ComputeNode/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./ComputeNode/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./ComputeNode/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Workstation/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Workstation/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Workstation/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Workstation/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./source/SRPMS/libcap-2.16-5.2.el6.src.rpm


see also comment #7
Comment 10 releng-rhel@redhat.com 2010-11-10 15:13:06 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.